Page MenuHomePhabricator
Create Task
Maniphest T355691

Ensure that phabricator.wikimedia.org adheres to Google's sender guidelines
Closed, ResolvedPublic
Actions

Description

As a followup to T355449: Ensure wikimedia.org adheres to Google's sender guidelines, where @thcipriani wrote:

I realize you mentioned Phab and Gerrit are out of scope, but for the purposes of gathering data: looking at exim logs, Phab sent 10,740 emails to gmail addresses yesterday and 7195 today (since we did the phab upgrade on Saturday, I only have two days of historical data on disk there). Gerrit has hovered between 2k–3k emails to gmail addresses per day.

From sender guidelines:

If you send more than 5,000 message per day, your marketing and subscribed messages must support one-click unsubscribe.

To set up one-click unsubscribe, include both of these headers in outgoing messages:

Phab/Phorge mails sent have a preference management link in the body, but no List-Unsubscribe, let alone List-Unsubscribe-Post. A quick search didn't find anything about this upstream.

Requirements for all senders

  • Set up SPF or DKIM email authentication for your domain.
  • Ensure that sending domains or IPs have valid forward and reverse DNS records, also referred to as PTR records.
  • Use a TLS connection for transmitting email.
  • Keep spam rates reported in Postmaster Tools below 0.10% and avoid ever reaching a spam rate of 0.30% or higher.
  • Format messages according to the Internet Message Format standard (RFC 5322).
  • Don’t impersonate Gmail From: headers. Gmail will begin using a DMARC quarantine enforcement policy, and impersonating Gmail From: headers might impact your email delivery.
  • If you regularly forward email, including using mailing lists or inbound gateways, add ARC headers to outgoing email.

Requirements for high-volume senders

I don’t have data on this atm but I would not be surprised if we’re over the 5k emails per day threshold.

  • Set up DMARC email authentication for your sending domain. Your DMARC enforcement policy can be set to none.
  • For direct mail, the domain in the sender’s From: header must be aligned with either the SPF domain or the DKIM domain. This is required to pass DMARC alignment.
  • Marketing messages and subscribed messages must support one-click unsubscribe, and include a clearly visible unsubscribe link in the message body.

Details

SubjectRepoBranchLines +/-
phabricator: verify domain for Google's postmaster toolsoperations/dnsmaster+2 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

brennen created this task.Jan 23 2024, 4:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 23 2024, 4:30 PM
brennen mentioned this in T355449: Ensure wikimedia.org adheres to Google's sender guidelines.Jan 23 2024, 4:32 PM
brennen added a comment.Jan 23 2024, 4:35 PM

Without having dug into the code at all yet, I expect that a List-Unsubscribe just pointing to the existing https://phabricator.wikimedia.org/settings/panel/emailpreferences/ would be simple, while an actual one-click unsubscribe will be a great deal more involved. Ideally this would be handled for upstream in general. I'll file something there.

brennen added a comment.Jan 23 2024, 4:37 PM

Relevant RFCs linked by Google:

ArielGlenn subscribed.Jan 23 2024, 4:37 PM
Pppery subscribed.Jan 23 2024, 5:08 PM
Maintenance_bot added a project: Upstream.Jan 23 2024, 5:29 PM
brennen added a comment.Jan 23 2024, 6:09 PM

Filed upstream: https://we.phorge.it/T15719

Tgr added a parent task: T355712: Ensure Wikimedia complies with Google's new email sender guidelines.Jan 23 2024, 7:40 PM
Dzahn subscribed.EditedJan 23 2024, 7:45 PM

upstream ticket comment pointed out we can run ./mail/volume from /srv/phab/phabricator/bin to check how many mails are being sent.

quote " It just collects all mails created in the last N days and counts them by user.".

currently running that

edit: but it failed like this:

@phab1004:/srv/phab/phabricator/bin# ./mail volume

Killed
LSobanski subscribed.Jan 24 2024, 11:25 AM
jhathaway subscribed.Jan 24 2024, 10:11 PM
LSobanski updated the task description. (Show Details)Jan 25 2024, 4:48 PM
eoghan claimed this task.Jan 26 2024, 4:16 PM
eoghan added a project: collaboration-services.
eoghan moved this task from Incoming to Work in Progress on the collaboration-services board.Jan 29 2024, 10:36 AM
jhathaway triaged this task as High priority.Jan 29 2024, 4:24 PM
eoghan updated the task description. (Show Details)Jan 29 2024, 10:24 PM
eoghan updated the task description. (Show Details)Jan 29 2024, 10:31 PM
eoghan added a comment.Jan 29 2024, 10:54 PM

@jhathaway and I took a look through, and I've updated the checklist above. The tl;dr is that we're looking ok from the phabricator side. We should probably remove the existing spf records that point to ip6:2620:0:861:102:10:64:16:101 ip6:2620:0:860:103:10:192:32:54, since these are essentially redundant but also don't resolve publicly so might run foul of the requirement to have records forward-and-reverse resolvable.

taavi subscribed.Jan 30 2024, 2:01 PM

Is it known/ok that Phab is sending mail from phabricator.wikimedia.org but the DKIM signature is for wikimedia.org?

eoghan added a comment.Jan 30 2024, 2:30 PM

There shouldn't be anything directly sending from phabricator.wm.o, it should route through the mx* hosts

jhathaway added a comment.Jan 30 2024, 7:38 PM
In T355691#9498461, @taavi wrote:

Is it known/ok that Phab is sending mail from phabricator.wikimedia.org but the DKIM signature is for wikimedia.org?

I don't see a dkim signature in the emails I have from phabricator, can you attach an example?

taavi added a comment.Jan 30 2024, 7:41 PM

Interesting, it seems like Phabricator only signs mail sent to non-wikimedia.org addresses. The From: header is no-reply@phabricator.wikimedia.org and DKIM signature uses d=wikimedia.org. Here is an example: {F41732140}

jhathaway added a comment.Jan 30 2024, 8:52 PM

ah, that seems like a bug? However, dkim signature should be okay, since our dmarc record is set to relaxed. Which allows subdomain matching, i.e. dkim: wikimedia.org aligns with from: no-reply@phabricator.wikimedia.org.

Dzahn mentioned this in T355776: Ensure that gitlab.wikimedia.org adheres to Google's sender guidelines.Jan 30 2024, 9:00 PM
gerritbot added a comment.Jan 31 2024, 5:48 PM

Change 994795 had a related patch set uploaded (by JHathaway; author: JHathaway):

[operations/dns@master] phabricator: verify domain for Google's postmaster tools

https://gerrit.wikimedia.org/r/994795

gerritbot added a project: Patch-For-Review.Jan 31 2024, 5:48 PM
gerritbot added a comment.Jan 31 2024, 5:52 PM

Change 994795 merged by JHathaway:

[operations/dns@master] phabricator: verify domain for Google's postmaster tools

https://gerrit.wikimedia.org/r/994795

brennen moved this task from Backlog to Radar on the User-brennen board.Feb 12 2024, 11:18 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 12 2024, 11:30 PM
brennen moved this task from INBOX to Radar on the Release-Engineering-Team board.Feb 13 2024, 10:05 PM
brennen edited projects, added Release-Engineering-Team (Radar); removed Release-Engineering-Team.
eoghan closed this task as Resolved.Mar 8 2024, 1:13 PM

We've ticked all the boxes here for the most part. The two outstanding items are monitoring spam rates and one-click unsubscribe.

The spam rate isn't visible in postmaster tools, which we're attributing to a low spam rate. The one-click unsubscribe is currently with upstream but probably won't gain any traction.

Either way, there's nothing immediately left for us to take care of here.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL